I have setup the WLC to authenticate to a MS Server2008 NPS for a WPA2/AES SSID. The connection is successful, but client authentication fails for wrong EAP-type. I believe this indicates a Windows7 client issue. What is the required client setup to satisfy the MS NPS?
I have 2 units Cisco WLC 5508 running software version 7.0.220 with 70 over units Cisco AP 1262N and 1242AG. Some of wireless clients having problem to get the correct IP address from the DHCP server. There are 2 units of Microsoft DHCP. Both DHCP server ip have been configured on the Interface at the WLC. The core switch also being configured with ip helper. I've attached the debug output of one of the wireless client during the problem.
I have a problem with a customer of mine. We have deployed two new WLC5508 running r126.96.36.199 and AP1142s, also WCS with r7.0.172. When we setup a "Guest Access" we ran into trouble.The problem is that we can associate to the SSID/AP and get an ip-adress. When we open the web- browser we do not get redirected to the virtual interface but instead the _hostname_ of the WLC. Like this: url...
I we manually replace "cisco6a19c4" with 188.8.131.52 it works as it should, the login page appears, we login and can access the internet.We have tested and disabled web-auth on the ssid an everything works, we can directly go out on the internet, DNS works without any problems. [code]Guest network (VLAN) is transfered from WLC via the trunk to the Cat4503 and then connected on a access-port to a separate broadband-router, then to the inetrnet.DHCP to guest-users from separate broadband-router which is def gwy and "DNS".On the virtual interfaces no hostname is configured.
I have been noticing in my trap logs that there are an excessive amount of Client Association/Authentication Failures. I cannot figure out why. I have a Cisco 5508 WLC with 81 AP's (1131ag, 1142abgn, 1262N) models. The wireless devices are on a Windows Domain and use 802.1x EAP authentication, authenticating the user and computer info with a RADIUS Server. I look at the logs and all it can tell me is Reason:Unspecified ReasonCode:1. I read that the Reason Code is due to "Client associated but no longer authorized" but to be honest I am not sure what that means.
Installed a new 5508 WLC last week, and finished bringing 68 new 3602i access points online in our College Dorms. We are seeing a lot of "Client De-authenticated" errors "Reason: Unspecified Reason: Code 1. Years ago I asked about error code 1. The reply from Cisco was: "The programers put the code in. It basically means we don't know what the problem is."Got a call from one of the dorms stating that students were getting knocked off the network while going to sites. If a student is wired, network is solid.Walked the dorm in question and was getting full bars of signals at all times, and was able to stream a movie from my Ultraviolet account without any break or slowdown as I moved from access point to access point. So.. my device, an iPad, was fully mobile and did not experience any disconnects.Did observe one student using a MacBook Pro. This student was constantly loosing connection to the access point. Checked the controller for the MAC of the student's computer. I did find deauthentication errors. BUT... this student's error was the computer was receiving an IP address from the DHCP that was already in use. At the computer the error message was a timeout issue.I am just learning the ropes on the 5508. Have used 3 4404s for the past six years.
We have 3 5508 WLCs (A, B, & C) and several LAPs (1140, 3500, 3600). The APs learn the controllers IP addresses through DHCP Option 43. When we setup a new site we put the IP address of the controller we want the AP to join first. Lately, I've noticed that regardless of which WLC IP I put first when I setup Option 43 the LAPs are always joining a particular controller.
We have two WLC's 5508. Following are its interfaces & details:mgmt 10.49.5.251 on wlc1 & .252 on wlc2 access p 10.49.6.251 on wlc1 & .252 on wlc2 there is no AP manager interface seen on both wlc's nor configured. both wlc1 & wlc2 are connected each to two switch ports, configured as normal trunk link each.LAG is enabled on both WLC's.
I just purchased a Linksys WRT120N and have a couple of issues, one of them may force me to return it to the point of purchase.Once WPA2 is enabled, on the Wireless-Advanced Wireless Settings screen,, the Authentication Type (which was greyed out by default) changed from Auto to Open and remained greyed out. I want to change this back to Auto.The other issue is that on the Status screen, the IP addresses of the domain name servers (DNS) are incorrect. This screen displays the DNS server addresses sent by the ISP and are not displaying the DNS addresses that are hard coded on the main Setup screen - although if I run nslookup, the DNS server address displayed in the console window, is the one that is displayed on the Setup screen.
The more important of the two is the Authentication Type being Open and greyed out. If this is something that cannot be changed, then I will be forced to return this for credit as it was the last unit on the shelf. I had reset the router back to the factory defaults and reconfigured it again, but this did not resolve either issue. I'm tempted to think that both issues may be the result of defective firmware, which shows version 1.0.06.
We are using the CISCO-DOT11-ASSOCIATION-MIB in a Cisco Air AP 1140 device with release 12/4(21a)JA1 to find out the radio type of wireless client (B/G or N). The clients in question are of type Wireless N and Wireless B/G. We are querying cDot11ClientDevType and cDot11ClientRadioType but the relation between the returned values and client/radio type is not clear:
2 devices returned: cDot11ClientDevType = 102 ==> pc4500Client(102) - client with a 4500 radio and ClientRadioType=2==> ccxClient(2) - CCX- compatible radio1 device returned: cDot11ClientDevType = 1==> unknown (1) – unknown and ClientRadioType= 1==> unknown(1)
Questions: On a Cisco Air AP 1140 device
What OID needs to be polled to find if the client's radio type?What value is returned by this OID if the radio type is B/G?What value is returned by this OID if the radio type is N?
The Release Notes for 184.108.40.206 of WLC 5500 has a table which title is "Client Type", and it shows wireless adapters. My question is, what kind of customer means? Wireless clients or clients for an specific application? If it was the first option, does it mean tha just this adapters could connect to my wireless network?
Just purchased an E2000 (Firmware version 1.0.03) to use with DDNS. Much to my surprise there seems to be a problem with saving the password at the configuration screen. [code] With the above settings entered and the Update button pressed favorable results are obtained; the router reports that DynDNS.org updates okay. However once the "Save Settings" button is pressed an update fails with the error "Authorization failure bad ID or password".Is anyone else experiencing this issue? Is the password field limited to certain characters?
We are trying to set up Out of band connection for Cisco 5508 WLC and when we try to ssh to the Service port from a remote switch, this fails. SSH or Telnet to the Management IP address works fine. The Service port and Managment IP are in the same IP scope but different subnet..i.e 172.16.10 for Management and 172.16.99 for Service port. Also, as this set up will be HA (AP SSO) in future, for which DHCP is recommended for the service ports, just wondering if SSh will be possible.
I have a network setup as live-ssid. It is using the Interface for VLAN 14. All APs under the default-group AP Group obviously allows clients to DHCP an address from VLAN 14. This is working fine.
I created a new AP Group called 3rd Floor. This has the live-ssid setup, but instead of using the Interface for VLAN 14 it is setup for the Interface for VLAN 50. I have all the APs on this floor moved to the 3rd Floor AP Group.
The problem is that 95% of the clients on 3rd Floor are still picking up DHCP addresses from VLAN 14. I checked and all the clients are connected to the APs on the 3rd Floor. Only 4 Clients are getting an address from VLAN 50.
I'm not sure if something is configured wrong or not since some devices pick up the new VLAN and the rest don't. I've manually reboot the APs on the 3rd floor to see if that would fix it.
This is terminating on an ASA c5510 sec+ running 8.3(2) Client devices running XP with the same VPN client get an address from the ASA pool e.g. 10.10.50.1 with no default gateway. Users are able to connect without a problem. Windows 7 (32bit) clients with this same VPN client get this address but get a default gateway 10.10.50.2 and are unable to connect for obvious reasons.
The problem is.....When I log in, the client does its start-up bit, and then displays a "This certificate is intended for the following purpose(s):" message. If I decline the certificate, it gives me the error message shown in the image, but I can otherwise continue and establish my VPNs with no problem.
Unfortunately, the certificate it selects has nothing to do with my organization ( in fact, the certificate is for "*.whitepages.com" - see images). To make matters worse, I can not find this referenced certificate anywhere under my user context in Windows.
I have tried removing, rebooting, and re-installing - it does no good.How do I force the client to stop using this incorrect certificate, and to at least use one that belongs to my organization?
After we change the firewal from PIX515E to Fortigate311B, one notebook which installed Cisco PN client 220.127.116.110 in WIN7 64bits can not access VPN because the default gateway is not correct. For example the IP get from Ip pool is 172.28.22.10 but the default gateway IP is 172.28.22.1. ?
I have a Linksys WRT310N v1 with firmware v1.0.10 build 002Jul 19, 2010 My router fails to renew it's DHCP lease from my cable provider, causing internet access to drop. I can still access my cable modem at 192.168.100.1, but I must do a "IP Address Release" then "IP Address Renew" to get back internet access. The router works fine otherwise.
DHCP enabled with default settings. Dynamic IP range from 192.168.0.100 - 192.168.0.199.Router shows laptop with 192.168.0.199 however when I check the IP on laptop I have 192.168.100.10 and both laptops are connected on my SSID with 90% signal strenght.
Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password".TAC has been working with us on this and sees the error in the logs but does not have an answer on with to do to solve this. It has the same problem with Wireless Zero. Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is a not just a minor problem
I'm trying to set up vpn with ASA 8.2(5) and Anyconnect 3.0.4235. The goal is to force user to connect from registered machines only (winXP & win7 x32 and x64). To do this, I used machine certificates issued by own CA. Certificate is installed in machine store. I use double authentication (aaa & certificates). Everything works fine, AnyConnect browses cert store, ASA validating machine certificate, then user is prompted for username/password and finally if all is correct - connection is established.My problem is, that for new installation (new host), AnyConnect fails at first connection attempt. If I use aaa authentication only, connection is established, but if I use aaa & certificates - connection fails. The appropriate .xml profile is predeployed at client host asa well as machine and root certificates.Important: When first try (aaa auth) succeded, others are always OK (with aaa. certificate or aaa & certificate authentication). Only the first one fails.The goal is to succesfuly establish connection with aaa & cert.
With DART i get: ****************************************** Type : Error Source : acvpnagent Description : Function: CTransportWinHttp::WinHttpCallback File: .CTransportWinHttp.cpp Line: 2150
Certificate is valid for sure, and as I mentioned before, if first use aaa only, the second try is OK. At ASA with debug crypto ca 255 can't see any certificate from client.
I am running Cisco ACS 5.1 802.1x with certificate based authentication for Wired and Wireless connections. The issue that I am having is that when a user comes in from home with their laptop the wireless connection works, they pass the authentication and have network access fine. But when the plug the laptop into a docking station the LAN connection fails and gets put in the Auth Failure Vlan. A reboot of the phone/ shut/no shut fixes this, but I really need to find a resolution.This is an intermittent fault and only effects users with both LAN and WLAN enabled. Running ACS 18.104.22.168, all Cisco 3750s - c3750-ipservicesk9-mz.122-55.SE.Certificates are issues by group policy and only using computer authentication.
I am designing wireless controller solution for one of our customer network with Cisco 5500 series controller, wireless client authentication part.
1. There are 25 departments around the campus, each will be given one or two access points. 2. One Cisco AIR-CT5508-50-K9 Controller shall be used. 3. Single SSID/ VLAN shall be used for entire campus. 4. Wireless Authentication credentials used by one department shouldn’t work for other department
We've recently boughten new equipment to upgrade/replace some of our aging wireless hardware. We're moving to a pair of 5508 controllers and changing over to ACS 5.4. Currently we're just doing MAC filtering with ACS 4.2 and local users. I'd like to move most of our SSIDs to some type of AD authentication. Are there any all encompassing guides that layout the design behind that? So far I haven't had much luck finding one!
Also, would it be possible to maintain some of the local ACS users/MAC filtering? We have some mechanical equipment that connects to our network (separate SSID) but cannot join a domain.
I having some troubles with Web Authentication in a WLC 5508 version 7.2 to make authentication with the corporative phones, ANDROID GingerBread 2.3.6 model SAMSUNG GT-S7500L. When I try to connect to the VisitorsWirelessLAN in order to authenticate with web authentication the page never comes, in fact the phone never gets the IP. I have an iPhone and I have not problems, I have a Samsung Galaxy S2 with ICS 4.0.1 and works perfect, is only with gingerbread
I've set up several local network users (Security > Local Net Users) on the WLC (5508 running 22.214.171.124). Whenever I try to connect with one of these user accounts (I'm testing this out for now), the attempt is unsuccessful and I see an "AAA Authentication Failure for UserName: xxxxxxx User Type: WLAN USER" in the Trap Log. I thought that after trying to authenticate through a RADIUS server, the local user database would be polled and then a user account in that database would be able to authenticate.
I've got a weird problem that I can't figure out. I've de-authorized the switch in the RADIUS server to force an ERROR status to test the backup entries in the AAA authentication method list. However, after I do that and try to log in (through ssh), it just prompts me for my username's password and not the enable password. Here's the debug output:
1d02h: RADIUS: Marking server xxx.xxx.xxx.xxx:1812,1813 dead 1d02h: RADIUS: Tried all servers. 1d02h: RADIUS: No valid server found. Trying any viable server 1d02h: RADIUS: Tried all servers. 1d02h: RADIUS: No response for id 10
I set up LDAP store pointing to a Windows domain and am testing authenticating users via an ASA. In my LDAP config, its set for "Groups Objects refer to subjects" and I selected usernames in the drop down. I also added a a Global Group to the Directory groups tab in the LDAP store that I created.
Under my Access Polices, I created a rule that meets two condititons - coming from the ASA, and then I was able to select the group from the drop down box for my ldap domain. As a condition, it shows up as DomainName:External Groups. I set the permission to Permit Access.
Originally, I was failing authentication and I was receiving Subject Not Found in Store. I adjusted the Identity Sequence and now I receive a the following error:
15039: Selected Authorization Profile is Deny Access. So it must not be associating my account with the group with the Permit Access and using the Default Permissions.So it does match the correct Access Service, and Identity Store.
We just got a new 5508 wireless controller and the question we have is : can we get wireless users to authenticate to an Active Directory server to get access to the network? I know we can get the authentication done with an RSA server, but what about plain AD?
We are using WLC-5508 in our corporate. For authenication we have implemented ACS with LDAP configured as external user database. We can able to get authenicated for Web based authenication. When it is configured for EAP-FAST, authenitication is not happening.
I'm working on a project where a wi-fi client is tracked and located using RADIUS authentication requests. The problem I'm running into is that the WLC (5508) sends an RADIUS authentication request to my freeradiusd, which is ok so far, but if the client roams to another accesspoint (3602AG, 1131AG, 1252AG), the WLC does not send a further RADIUS auth. request - and the client is allowed to connect to the next ap.Is there an option like RADIUS-cache which I can disable, so that the WLC sends everytime an authentication request when a client tries to connect to an ap or roams from one ap to another one?
I am setting up a WIFI network with a Cisco 5508 controller. I want to configure a first WIFI network (WIFI1) that will authenticate my business laptop based on the AD computer accounts and will access my corporate network.I want to setup a second WIFI network (WIFI2) that will authenticate my phones and tablets devices with AD user accounts and will be on a separate vlan with only access to the Internet.I created 2 policies on the Radius server : one that authenticate computers coming from wireless and a second one authenticating users coming from wireless.
if a user manually creates the WIFI1 network on his phone and enter his AD username, he is going to have access to the corporate network. I would like to be able to say that when a request is coming from WIFI1, only the policy for authenticating wireless devices with computer accounts will apply and the second policy authenticating user wouldn't apply.
I have two 5508, no anchor, only one SSID with internal web authentication using radius server.Under "Configuring Mobility Groups", Cisco guide says: "If a client roams in web authentication state, the client is considered as a new client on another controller instead of considering it as a mobile client".
I understand that if a client that has already autheticated via web roams between two LAPs that are associated with different WLCs, it has to reathenticate.